Category Archives: Cryptography

The NYT has a great story today, Miss a Payment? Good Luck Moving That Car, on sub-prime car loans that require the buyer to accept installation of an immobilizer which the lender’s agents can operate by remote control. The article concentrates on ways in which these are being abused, e.g. immobilizing cars in traffic, far from home, when payments are not in fact late, and more.

It also hints at a group of legal issues, notably privacy (the GPS technology on which the immobilizer relies makes cars trackable by the monitoring company), and whether state laws on repossession — which require more notice, or more time between a missed payment and authorized action by the lender — should apply to a ‘virtual repossession’ or not. (Attention: Student note topic seekers. Doing this analysis in just one state would be a fine topic, and a social good.)

Then there are the sociological aspects:

Beyond the ability to disable a vehicle, the devices have tracking capabilities that allow lenders and others to know the movements of borrowers, a major concern for privacy advocates. And the warnings the devices emit — beeps that become more persistent as the due date for the loan payment approaches — are seen by some borrowers as more degrading than helpful.

“No middle-class person would ever be hounded for being a day late,” said Robert Swearingen, a lawyer with Legal Services of Eastern Missouri, in St. Louis. “But for poor people, there is a debt collector right there in the car with them.”

Missing, though, is the first thing that occurred to the cypherpunks when this technology first got mooted over a decade ago: How long until it is hacked? What happens when some bad guy starts war driving with a black box immobilizer causing accidents or other harms? And to what extent will the makers of the immobilizer be liable for those harms? Another good student note, at the very least.

[Note: Edited to add italicized line in second paragraph, which mysteriously got cut out before posting.]

I think I’ve pretty much got https working on this blog. At present it will serve up both unencrypted or encrypted versions depending what you ask for. The encrypted version is, at least on my computers, noticeably slower to turn up.

So the question is, What do I do now? Should I turn off http and forward all traffic to https? If I do so, should I remove the remaining insecure items, which I take to be the counters and the little map that shows where visitors come from? Is there a free counter somewhere that is https compliant? If I don’t force https, what’s the point of having the encrypted version there if almost no one other than the people running EFF’s great https-everywhere plugin will ever see it?

I’ve purchased a certificate for the blog so it can run on SSL/TLS, ie have an https address.

Little did I know how much grief this would cause. However, I only locked myself out of the blog once, and with the help of a WordPress https plugin I am gradually reducing the number of mixed-content errors.

Snowden’s revelations must be especially hard on the psychiatric profession. If one patient dismisses the idea that the government is spying on him, and the other is convinced that the government is working with major electronics manufacturers to put listening devices in his personal belongings, which one do you diagnose as being unable to distinguish reality from fantasy?

At a University committee meeting recently, I suggested the University should provide us all with encryption so we can protect our data on our computers, and in transit, as it was at risk of interception. The ranking University official at the meeting smiled dismissively and said something along the lines of “Well, if you are worrying about that…”. I said, “but it’s national policy – the President announced it.” He stopped smiling.

Dropbox, Google, SpiderOak and Sonic.net Score Five out of Five in Crypto Best Practices

San Francisco – The Electronic Frontier Foundation (EFF) today published a new infographic to illustrate how 18 service providers are encrypting communication. The chart supplements EFF’s popular “Who Has Your Back” series, which evaluates how companies respond to government requests for user information.

Over the last three weeks, EFF surveyed the companies on whether they are now employing or have concrete plans to employ a set of five best practices: Encryption of data center links, Hypertext Transfer Protocol Secure (HTTPS) support, HTTP Strict Transport Security (HSTS) support, forward secrecy and STARTTLS for email encryption.
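Four of those five practices (HTTPS, HSTS, forward secrecy and STARTTLS) are observable from outside, and the same checks answer the questions raised in the earlier post about forcing http to https and hunting down mixed content. The following checker is an added example written for this page; it is not code from EFF or from the blog. It runs over constructed sample responses (the hostnames, header values, cipher name and SMTP banner are all invented), and the one-year HSTS threshold is an assumption, not an EFF criterion. Encryption of data-centre links cannot be checked this way, so it is deliberately left out.

```python
"""Score a site's externally visible crypto hygiene against the practices
EFF lists: http-to-https redirect, HSTS, no mixed content, forward secrecy,
STARTTLS.  Data-centre link encryption is not observable from outside and is
not scored.  All inputs below are constructed samples so this runs offline.
"""
import re

# Minimum HSTS max-age this example accepts.  One year is a common
# recommendation (and the preload-list threshold); chosen here as an assumption.
MIN_HSTS_MAX_AGE = 31536000

# src/href attributes on subresource tags that still point at plain http://
_MIXED_RE = re.compile(
    r'<(?:img|script|iframe|link|object|embed|video|audio|source)\b[^>]*?'
    r'\s(?:src|href)\s*=\s*["\'](http://[^"\']+)["\']',
    re.IGNORECASE,
)


def parse_hsts(header):
    """Split a Strict-Transport-Security value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    if not header:
        return result
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                result["max_age"] = None  # malformed value counts as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_ok(header):
    """HSTS is only useful if present with a long enough max-age."""
    max_age = parse_hsts(header)["max_age"]
    return max_age is not None and max_age >= MIN_HSTS_MAX_AGE


def redirects_to_https(status, headers):
    """True if the plain-http response sends the browser to an https:// URL."""
    location = headers.get("Location", "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


def find_mixed_content(html):
    """Return the http:// subresources a browser would flag on an https page
    (the counters and visitor map from the earlier post are the usual culprits)."""
    return _MIXED_RE.findall(html)


def forward_secrecy(cipher):
    """TLS 1.3 suites and (EC)DHE key exchange give forward secrecy;
    static RSA or static (EC)DH key exchange does not.  Accepts OpenSSL
    names (ECDHE-RSA-...) and IANA names (TLS_ECDHE_RSA_WITH_...)."""
    c = cipher.upper()
    if c.startswith("TLS_AES_") or c.startswith("TLS_CHACHA20_"):
        return True
    return "DHE" in c


def starttls_offered(ehlo_reply):
    """True if the SMTP EHLO response advertises STARTTLS (RFC 3207)."""
    for line in ehlo_reply.splitlines():
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


# Constructed observations for a hypothetical site; not real measurements.
SAMPLE = {
    "http_status": 301,
    "http_headers": {"Location": "https://blog.example/"},
    "hsts": "max-age=31536000; includeSubDomains",
    "html": '<img src="http://counter.example/hit.gif"> '
            '<img src="https://cdn.example/map.png">',
    "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
    "ehlo": "250-mail.example\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 HELP",
}


def assess(obs):
    """Map each observable practice to pass/fail for one site."""
    return {
        "https_redirect": redirects_to_https(obs["http_status"], obs["http_headers"]),
        "hsts": hsts_ok(obs["hsts"]),
        "no_mixed_content": not find_mixed_content(obs["html"]),
        "forward_secrecy": forward_secrecy(obs["cipher"]),
        "starttls": starttls_offered(obs["ehlo"]),
    }


if __name__ == "__main__":
    for practice, passed in assess(SAMPLE).items():
        print(f"{practice:18s} {'pass' if passed else 'FAIL'}")
    for url in find_mixed_content(SAMPLE["html"]):
        print("mixed content:", url)
```

On the sample the site passes everything except mixed content, because the hit counter is still loaded over plain http; that is exactly the leftover the earlier post describes, and a browser will warn about it (or block it, for scripts) even after http is forced to https.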

Four of the companies surveyed (Dropbox, Google, SpiderOak and Sonic.net) are implementing all of the measures. In addition, six companies (the aforementioned four, plus Twitter and Yahoo) are taking, or have committed to taking, the critical step of encrypting the connections for their data centers to protect against backdoor access like the NSA’s MUSCULAR program.

“In light of the National Security Agency’s unlawful surveillance programs, as well as other threats to network security, it is now more important than ever to deploy strong encryption throughout networks,” EFF Senior Staff Attorney Kurt Opsahl said. Like all EFF content, the infographic is available for publication at no cost under the Creative Commons-Attribution License.